> I just discovered a potential security issue
> in the statspages. Stats are displayed also
> for objects that a user doesn't have access to.
> This is a big issue when serving multiple
> customers with one instance of CMS.

Tell me jbjoerk, what would be a good solution for you?
a) Display stats only to admin.
b) Display full stats with titles/URLs obscured for items the user has no access to.
c) Display stats only for objects the user has access to (but calculating stats for all objects).
d) Display and calculate stats only for objects the user has access to.

If you read the bugtrack report you'll see why the stats page was designed as is. However, I want to know how I can make it better. Let me know.

There is a quick workaround, as Mark Coudriet already wrote:
mark> Go into the CMS admin & set "Max number
mark> of documents to report in stats" to 0.

If you want to disable the icon for the stat page do the following:

Edit the cm/cm_lib.inc.php file and find the fcm_title_nav2 function (it should be around line 376).

> Thank you for a very descriptive answer.
> The optimal solution would be D but I can
> understand that this would create a lot
> more overhead when generating the page.
> The next best solution would be to only
> allow the superuser to see the stats - set
> on the config page, perhaps with a warning
> about the consequences of allowing access
> to everyone.

I'll do that in the next version.

> Showing incomplete stats would likely lead
> to confusion among the users.
